Overview

overview

10

Static

static

Payment 05-08-22.exe

windows7-x64

10

Payment 05-08-22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2022 07:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment 05-08-22.exe

  • Size

    341KB

  • MD5

    54827a45e0eec3ecb462066523d63e6c

  • SHA1

    7c7a87429e9533c14497c799c085825ca68f5b4a

  • SHA256

    ee81c7498b4343a8c9353957777a74cf2f615b3b0d8a09846eb06fcde700de63

  • SHA512

    0c305685f8f3f1df118fcd75bac38c6c28205ea2690576231f5ae4df69b6d9ea685ec29d1fc1bcaa5c2309d94053addcccab8078cf77a30748ed5ccb32036116

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5410455012:AAE1SHAu8VAoPkLETxqziCFDZfyqp8DD7SA/sendMessage?chat_id=2008035906

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment 05-08-22.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment 05-08-22.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\binn1.exe
      "C:\Users\Admin\AppData\Local\Temp\binn1.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1908

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\binn1.exe
    Filesize

    126KB

    MD5

    d7ae412c7b211a55aab4d7c64dff870b

    SHA1

    4b9a99d232afe69495afd82913090eeaba815fe4

    SHA256

    025c3a4174f86308877f3e0545849acc881ccc82bafefb5d949169337568081c

    SHA512

    ee557c31f76724040f888b901073fae5f6e74da5dd4cc3d71310f1bfaceef6e924c603b7eff0de18b0b30e8e3dca387a8b90659714cef3b328716b00a5022218

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\binn1.exe
    Filesize

    126KB

    MD5

    d7ae412c7b211a55aab4d7c64dff870b

    SHA1

    4b9a99d232afe69495afd82913090eeaba815fe4

    SHA256

    025c3a4174f86308877f3e0545849acc881ccc82bafefb5d949169337568081c

    SHA512

    ee557c31f76724040f888b901073fae5f6e74da5dd4cc3d71310f1bfaceef6e924c603b7eff0de18b0b30e8e3dca387a8b90659714cef3b328716b00a5022218

    Download Submit

  • memory/1752-54-0x00000000011A0000-0x00000000011F8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1752-55-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1908-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1908-59-0x0000000000AE0000-0x0000000000B06000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1908-60-0x0000000075F81000-0x0000000075F83000-memory.dmp

    Filesize

    8KB

    Download